From ae24e5784f885fd9cecf8f96f4222abcee3bac35 Mon Sep 17 00:00:00 2001
From: Yansong Zhang <916125788@qq.com>
Date: Mon, 14 Jul 2025 15:03:25 +0800
Subject: [PATCH] check is member in workspace when transfer owner

---
 api/controllers/console/auth/error.py | 5 +++++
 api/controllers/console/workspace/members.py | 17 ++++++++++++-----
 api/services/account_service.py | 5 +++++
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/api/controllers/console/auth/error.py b/api/controllers/console/auth/error.py
index 4bca2516e8..40227231c2 100644
--- a/api/controllers/console/auth/error.py
+++ b/api/controllers/console/auth/error.py
@@ -105,4 +105,9 @@ class NotOwnerError(BaseHTTPException):
 class CannotTransferOwnerToSelfError(BaseHTTPException):
 error_code = "cannot_transfer_owner_to_self"
 description = "You cannot transfer ownership to yourself."
+ code = 400
+
+class MemberNotInTenantError(BaseHTTPException):
+ error_code = "member_not_in_tenant"
+ description = "The member is not in the workspace."
 code = 400
\ No newline at end of file
diff --git a/api/controllers/console/workspace/members.py b/api/controllers/console/workspace/members.py
index ea2989c442..b988e8b082 100644
--- a/api/controllers/console/workspace/members.py
+++ b/api/controllers/console/workspace/members.py
@@ -14,6 +14,7 @@ from controllers.console.auth.error import (
 InvalidTokenError,
 NotOwnerError,
 OwnerTransferLimitError,
+ MemberNotInTenantError
 )
 from controllers.console.error import EmailSendIpLimitError, WorkspaceMembersLimitExceeded
 from controllers.console.wraps import (
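Review bot: `MemberNotInTenantError` is separated from `CannotTransferOwnerToSelfError` by a single blank line, and the file still ends without a trailing newline (`\ No newline at end of file` is carried over), both of which ruff/black flag; use two blank lines between top-level classes and add the final newline while touching this spot. The way the hunk is cut also reads as if `code = 400` moved: the old trailing `code = 400` now belongs to the new class and a fresh `+    code = 400` is given to the old one, so both keep status 400 — a sentence in the commit message would save the next reader the puzzle. A 400 for an account that exists but is not in the workspace is consistent with the neighbouring errors here; if the project distinguishes "not found" from "not permitted" elsewhere, confirm that 400 is the intended code.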
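Review bot: `MemberNotInTenantError` is appended after `OwnerTransferLimitError` without a trailing comma and out of the block's alphabetical order, so the next addition produces a two-line diff and isort/ruff will reshuffle the list; place it between `InvalidTokenError` and `NotOwnerError` as `MemberNotInTenantError,`. The import list continues beyond the hunk on both sides.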
@@ -178,6 +179,9 @@ class SendOwnerTransferEmailApi(Resource):
 parser = reqparse.RequestParser()
 parser.add_argument("language", type=str, required=False, location="json")
 args = parser.parse_args()
+ ip_address = extract_remote_ip(request)
+ if AccountService.is_email_send_ip_limit(ip_address):
+ raise EmailSendIpLimitError()
 
 # check if the current user is the owner of the workspace
 if not TenantService.is_owner(current_user, current_user.current_tenant):
@@ -185,11 +189,8 @@ class SendOwnerTransferEmailApi(Resource):
 
 if current_user.id == str(member_id):
 raise CannotTransferOwnerToSelfError()
+
 
- ip_address = extract_remote_ip(request)
- if AccountService.is_email_send_ip_limit(ip_address):
- raise EmailSendIpLimitError()
-
 if args["language"] is not None and args["language"] == "zh-Hans":
 language = "zh-Hans"
 else:
@@ -201,7 +202,10 @@ class SendOwnerTransferEmailApi(Resource):
 abort(404)
 else:
 member_name = member.name
-
+ # check the member is in the workspace
+ if not TenantService.is_member(member, current_user.current_tenant):
+ raise MemberNotInTenantError()
+
 token = AccountService.send_owner_transfer_email(
 account=current_user,
 email=email,
@@ -285,6 +289,9 @@ class OwnerTransfer(Resource):
 member = db.session.get(Account, str(member_id))
 if not member:
 abort(404)
+
+ if not TenantService.is_member(member, current_user.current_tenant):
+ raise MemberNotInTenantError()
 
 try:
 assert member is not None, "Member not found"
diff --git a/api/services/account_service.py b/api/services/account_service.py
index 688a9d0fbb..de425a1640 100644
--- a/api/services/account_service.py
+++ b/api/services/account_service.py
@@ -2,6 +2,7 @@ import base64
 import json
 import logging
 import secrets
+from tkinter import N
 import uuid
 from datetime import UTC, datetime, timedelta
 from hashlib import sha256
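Review bot: The per-IP rate-limit check is moved ahead of the owner check, which is unrelated to the membership check in the commit subject and changes which error a non-owner sees once their IP is over the limit (`EmailSendIpLimitError` instead of `NotOwnerError`). Checking the limit first is a defensible order for an email-sending endpoint, but if `is_email_send_ip_limit` records the attempt rather than only reading a counter (not visible here), non-owner requests now consume the owner's per-IP budget; either way the reorder deserves a sentence in the commit message or its own commit. The enclosing `post` method starts before the hunk.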
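Review bot: The added empty `+` line sits directly beside the existing blank context line after `raise CannotTransferOwnerToSelfError()`, so once the old rate-limit lines are removed the method contains two consecutive blank lines; drop the added line and let the removal leave the single existing blank. The method continues on both sides of the hunk.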
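Review bot: The new comment `# check the member is in the workspace` only restates the line below it; the information a reader needs is why the check lives here when `OwnerTransfer` repeats it, so a comment such as `# Reject non-members before any email is sent; OwnerTransfer re-checks because membership can change before the token is used.` would be more useful. The placement itself is right: after the `abort(404)` branch `member` is guaranteed non-None, and failing before `send_owner_transfer_email` avoids mailing a transfer token for a target that can never be accepted. The `post` body continues outside the hunk.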
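Review bot: The membership check in `OwnerTransfer` comes after the 404 lookup, but the start of `post` is outside the hunk, so it is not visible whether the transfer token has already been validated or revoked by this point; if the token is consumed before this line, a request naming a non-member burns the owner's token and forces a fresh email round-trip. Consider moving the lookup, the `abort(404)` and the `is_member` check ahead of any token revocation, or at least confirm the order. The context line `assert member is not None, "Member not found"` is pre-existing, but with the new checks above it the assert serves only type narrowing (and is stripped under `-O`), so a `# narrowing only: abort() above already raised` comment would keep readers from treating it as validation.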
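Review bot: `from tkinter import N` is an unused import that looks like an editor auto-completion accident, and it is worse than lint noise: `tkinter` is an optional stdlib module that is absent from many server and slim container Python builds, so the import raises `ImportError` at module load and takes `account_service` — and every module importing it — down at startup. Remove the line (`-from tkinter import N`); nothing in the patch references `N`. It is also inserted between `import secrets` and `import uuid`, which isort would reject even if the import were wanted.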
@@ -1087,6 +1088,10 @@ class TenantService:
 def is_owner(account: Account, tenant: Tenant) -> bool:
 return TenantService.get_user_role(account, tenant) == TenantAccountRole.OWNER
 
+ @staticmethod
+ def is_member(account: Account, tenant: Tenant) -> bool:
+ """Check if the account is a member of the tenant"""
+ return TenantService.get_user_role(account, tenant) is not None
 
 class RegisterService:
 @classmethod
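Review bot: `is_member` relies on `TenantService.get_user_role` returning `None` for an account with no membership record, a contract the hunk does not show; `is_owner` above uses the same helper, so the assumption is at least consistent, but the docstring should state it: `"""Return True if get_user_role finds any role for the account in the tenant (None means no membership)."""`. From the hunk counts the new method is followed by a single blank line before `class RegisterService`, where the original had two; add the second blank to keep the two-blank-line separation between top-level classes. The decorator of `is_owner` and the rest of `TenantService` are outside the hunk.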